ChicagoVPS hacked, bunch of VPS customers offline - Page 13
Comments

  • I think that one thing we learned from all of this is that SolusVM and @soluslabs are a bunch of idiots on high horses who we'd better leave alone. Of course, some (including @Francisco) already knew this, but their responses to @CVPS_Chris only emphasize it.

    There's this song from the film TED in which you can nicely replace 'thunder' with 'solus'... ;)

  • @mpkossen said: I think that one thing we learned from all of this is that SolusVM and @soluslabs are a bunch of idiots on high horses who we'd better leave alone.

    Heh?

    There is nothing wrong with the API. We have checked the code and it's fine. CVPS have contacted us with a very vague reply that gives no details whatsoever.

  • @CVPS_Chris said: Was not our fault, software issue as explained. It has been replicated and can still happen to anyone else here.

    I assume this 'software issue'

    @mpkossen said: I think that one thing we learned from all of this is that SolusVM and @soluslabs are a bunch of idiots on high horses who we'd better leave alone. Of course, some (including @Francisco) already knew this, but their responses to @CVPS_Chris only emphasize it.

    There's this song from the film TED in which you can nicely replace 'thunder' with 'solus'... ;)

    Until CVPS actually come out and say this is a SolusVM exploit and it is confirmed I think this is highly unfair. SolusLabs have been making rapid improvements to SolusVM lately which I particularly appreciate.

  • @soluslabs said: Heh?

    There is nothing wrong with the API. We have checked the code and it's fine. CVPS have contacted us with a very vague reply that gives no details whatsoever.

    I didn't say anything is wrong with the API, it's more with the product in general and your apparent attitude. The API could be fine.

  • Spirit Member
    edited November 2012

    @mpkossen said: I think that one thing we learned

    &&

    @mpkossen said: it's more with the product in general and your apparent attitude.

    You haven't learned anything and obviously you didn't read the thread at all. What apparent attitude? Are you talking about the ChicagoVPS issue at all? Are you talking about the same things we all see here, or did you take the opportunity for some generalised random statement without merit?

    Someone compared this thread with the "HyperVM fiasco" and said something like history repeats itself. Indeed. But not as people with bad memory see it. When Vaserv was hacked, it was hacked because their owner password was compromised, not because of a HyperVM fault (which wasn't without issues, for sure); however, in that incident Vaserv used it as a scapegoat, and to this date people keep the "HyperVM - something bad" connotation in their minds.
    And now again, history repeats itself.. with the image damage caused to them by ChicagoVPS's irresponsible statement, people will blame SolusVM for the next 5 years or so... without any evidence that it was a fault on their side at all.
    It's just scary to see how much long-term damage one single guy's statement can cause to a brand, with the only purpose of saving his own ass by putting the blame on others..

  • @mpkossen said: I didn't say anything is wrong with the API, it's more with the product in general and your apparent attitude. The API could be fine.

    At the end of the day we care about our product. If someone attacked your product/company, I would like to think you would defend it.

    I'm not even going into the Frantech case.. end of.

  • @soluslabs thank you for keeping us informed.

  • +1

    @Spirit said: thank you for keeping us informed.

  • Solus didn't fix non-alphanumeric passwords in years, don't use PDO etc, so it's quite clear to me their product is probably as secure as a used diaper. Still, in this particular case the FUD level is so high, it seems obvious ChicagoVPS is hiding details of this incident on purpose. Whether it's only to cover their asses will be seen later.

  • @averell what's with the hate on SVM? Their code may be "deprecated" by not using PDO and other such things, but it's survived a lot? All exploits are patched within hours, and security notices are thrown out often.

  • @eastonch, it's not hate. After all, they are market leader in the low-end segment. That doesn't make their product good though. There are just too many issues they were incapable of fixing in any reasonable timeframe. This gives the general impression that the code-quality seems at maybe the high-school project level, otherwise a simple fix would be simple instead of taking years. Also, as can be seen here, they try hard. To get back on track, in this case until proven otherwise I'm assuming they have no fault here.

  • Francisco Top Host, Host Rep, Veteran

    @shaunpud said: Maybe try the @Francisco solution here? ;)

    http://blog.backblaze.com/2012/10/31/10-spooky-data-loss-stories/

    That's hilarious but not me :P

    Francisco

  • @Spirit said: You haven't learned anything and obviously you didn't read the thread at all. What apparent attitude? Are you talking about the ChicagoVPS issue at all? Are you talking about the same things we all see here, or did you take the opportunity for some generalised random statement without merit?

    I'm not just talking about the issue here (ChicagoVPS and SolusLabs contradicting each other), I'm talking about issues in general (some in the past) related to SolusLabs and their communication. What Francisco said only emphasizes it. SolusVM is all over this thread, so it's not that strange to take a turn on that as well. We don't know whether it was ChicagoVPS' fault or SolusVM's fault. I never pointed fingers about the current issue.

    @soluslabs said: At the end of the day we care about our product. If someone attacked your product/company i would like to think you would defend it.

    I don't blame you for defending your product. I would do the same. However, I do blame you for the apparent lack of care for security in your product. Take a look at some of the things @joepie91 said. Also, some things in your product make me shudder. I'm willing to explain some of these, but this is not the place.

  • @mpkossen said: I'm willing to explain some of these, but this is not the place.

    Send them a PM then instead of calling them out on a public forum.

  • When this first started didn't CVPS state that another provider was also affected? Anyone know who?

  • Yeah I think @numim, that was the allegation.

    Everyone pointed to every known provider they knew to be down.

    Nothing was clear about who this mythical provider, the second one was. Maybe it was Colocrossing :) ? Do they have VPS offers directly?

  • joepie91 Member, Patron Provider

    @eastonch said: @averell what's with the hate on SVM? Their code may be "deprecated" by not using PDO and other such things, but it's survived a lot? All exploits are patched within hours, and security notices are thrown out often.

    They are not using PDO, and have a history of several SQLi vulnerabilities as a result. There is no indication that they intend to rewrite the code to use PDO any time soon. They barely respond to feedback on the security front (as evidenced in this thread), and are trying to roll their own security functionality instead of using tested and proven existing functionality.

    That seems like enough to consider their software horribly insecure.

    This is a VPS panel we're talking about, not some random forum.

  • @mpkossen said: I don't blame you for defending your product. I would do the same. However, I do blame you for the apparent lack of care for security in your product. Take a look at some of the things @joepie91 said.

    Oh you mean this part? "fetch all users first and then compare"

    It needs to be done this way because the API information is two way encrypted in the database. You can't decrypt it unless you pull it first.

    And the part about PDO?

    mysql_ can still be as safe as using PDO_MYSQL. A PDO prepared statement can still be susceptible to an SQL injection attack. We have had plans for a while now to phase out mysql_ and will continue with these in due course.

  • @joepie91 said: They barely respond to feedback on the security front (as evidenced in this thread)

    Why would you give details on how your security works on a public forum? Like you say, it's a VPS panel.. it's the last place to post it.

    @joepie91 said: trying to roll their own security functionality instead of using tested and proven working existing functionality.

    Who said that? None of our data encryption is done using our own in-house functions.

  • joepie91 Member, Patron Provider
    edited November 2012

    @soluslabs said: It needs to be done this way because the API information is two way encrypted in the database. You can't decrypt it unless you pull it first.

    Why are you encrypting API logins?

    @soluslabs said: mysql_ can still be as safe as using PDO_MYSQL

    No, not really. It's quite easy to miss a variable when escaping stuff, even if you've made a habit out of it, as evidenced by your at least two (!) past SQLi vulnerabilities.

    @soluslabs said: A PDO prepared statement can still be susceptible to an SQL injection attack.

    You're kidding, right?

    $statement = $database->prepare("SELECT * FROM users WHERE `username` = :Username");
    $statement->bindValue(":Username", $_POST['username'], PDO::PARAM_STR);
    $statement->execute();

    Please tell me how this is in any way, shape or form vulnerable.

    @soluslabs said: We have had plans for a while now to phase out mysql_ and will continue with these in due course.

    Will you be rewriting your existing code, and what is the priority on this phasing out?

  • joepie91 Member, Patron Provider

    @soluslabs said: Why would you give details on how your security works on a public forum? Like you say, it's a VPS panel.. it's the last place to post it.

    If you have to hide your security to make it effective, there is something HORRIBLY wrong with your code.

    @soluslabs said: Who said that? None of our data encryption is done using our own in-house functions.

    You did, when you told us the API keys were generated with a 'custom function' that used the installation ID.

  • @joepie91 said: Why are you encrypting API logins?

    For security..............

    @joepie91 said: Please tell me how this is in any way, shape or form vulnerable.

    I'm saying it can still be susceptible to an SQL injection attack.

    @joepie91 said: Will you be rewriting your existing code, and what is the priority on this phasing out?

    In due course.

  • joepie91 Member, Patron Provider
    edited November 2012

    @soluslabs said: For security..............

    How does that add any security? Encryption is effectively pointless when the same machine holding the data can also decrypt the data without human intervention.

    @soluslabs said: I'm saying it can still be susceptible to an SQL injection attack.

    And I just asked you to explain how, and gave you a bog standard example of a prepared query. Why are you not answering that question?

    @soluslabs said: In due course.

    That does not really give any information we didn't already have.
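The exchange above (the prepared-statement example and the unanswered "it can still be susceptible" claim) boils down to one distinction, shown here as an added example that is not part of the thread: a bound parameter never becomes part of the SQL text, manual escaping only works when nobody forgets it, and a placeholder cannot bind an identifier such as an ORDER BY column, which is the one common way a "prepared" query stays injectable. It uses Python's sqlite3 in place of PHP's PDO; the users table and the inputs are constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for a panel's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_interpolated(conn, username):
    # The mysql_-style call where one variable was missed during escaping:
    # the input is pasted into the query text, so a quote character rewrites the query.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_escaped(conn, username):
    # Manual escaping (doubling quotes, as an escape function would for this dialect)
    # protects this one call, but only as long as every call remembers to do it.
    safe = username.replace("'", "''")
    sql = f"SELECT username FROM users WHERE username = '{safe}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, username):
    # Bound parameter: the driver sends the value separately from the SQL text,
    # so quote characters in the input have no syntactic effect.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Identifiers cannot be bound with a placeholder, so the defence is an allow-list.
ORDER_COLUMNS = {"username", "role"}

def list_users_sorted(conn, order_col):
    # A prepared statement gives no protection to text interpolated into the query
    # itself (here the ORDER BY target); reject anything not on the allow-list.
    if order_col not in ORDER_COLUMNS:
        raise ValueError(f"refusing unknown sort column: {order_col!r}")
    sql = f"SELECT username FROM users ORDER BY {order_col}"
    return [row[0] for row in conn.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed input containing a quote character
    print(lookup_interpolated(db, probe))   # both users: the WHERE clause was rewritten
    print(lookup_escaped(db, probe))        # [] : escaping held for this call
    print(lookup_bound(db, probe))          # [] : the value was never part of the SQL
    print(list_users_sorted(db, "role"))
```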

  • @joepie et al This discussion is about the CVPS hack and unless there is proof that it was due to a flaw in SolusVM then any exchanges about flaws in SolusVM or an inadequate approach to security on their part should be in a separate discussion.

    However annoying a laid-back approach to security may be on a vendor's part, I think this issue should be discussed in a dedicated thread.

    PS. I am not related to, nor have any interest in, soluslabs in any way. The nearest I ever get to them is when I need to manage my VPS.

  • @rchurch said: However annoying a laid-back approach to security may be on a vendor's part, I think this issue should be discussed in a dedicated thread.

    Too right. I'm all for a thread like that. There's a lot of software vendors who don't take security seriously. I'm pleased we're not one of them. Maybe it should be on a more reputable forum though. I don't think LET should be the place.

  • AlexBarakov Patron Provider, Veteran

    @soluslabs said: Maybe it should be on a more reputable forum though. I don't think LET should be the place.

    That wasn't really nice.

  • LOL put it on my forum, no one goes on there anyways XD

  • @Alex_LiquidHost said: That wasn't really nice.

    Maybe I worded it wrong. I've seen several threads on here where users refer to it as a playground.
